There are a couple of approaches.
1. Backup the old certs to datasets, delete the certs, add new certs.
2. Keep the old certs, add new certs with different unique names, remove the old certs from keyring and add the new certs to the keyring. Since you dont delete anything, you can put it back easily.
3. Use the TSS RENEW command, but can only be used against certs created by CA Top Secret and not a 3rd party Certificate Authority.
4. Use TSS REKEY/ROLLOVER if the new certificate needs to added to many keyrings.
There are benefits to each approach.
1 Is easiest to do, but backing out is not as easy as 2.
2 Is second easiest to do administratively but easiest to backout.
3 Quickest method to renew but the certs must be created by CA Top Secret.
4. Hardest to backout but easiest if you have thousands of keyrings you need to add the certifciate to. If you dont have thousands of keyrings and only have a few keyrings, 1 or 2 is a easier/better option.